← Back to Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide

V-269530

CAT II (Medium)

AlmaLinux OS 9 audit system must retain an optimal number of audit records.

Rule ID

SV-269530r1050413_rule

STIG

Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide

Version

V1R6

CCIs

CCI-000140

Discussion

max_log_file (size in megabytes) multiplied by num_logs must make full use of the auditd storage volume (separate to the root partition). If max_log_file_action is set to ROTATE or KEEP_LOGS then num_logs must be set to a value between 2 and 99.

Check Content

Verify that AlmaLinux OS 9 is configured to make full use of the auditd storage volume when rotation is enabled, with the following command:

$ grep num_logs /etc/audit/auditd.conf

num_logs = 5

If the value of the "num_logs" option is not between 2 and 99, is commented out, or is missing, this is a finding.

Fix Text

Configure AlmaLinux OS 9 to make full use of the auditd storage volume with rotation enabled.
 
Add or update the following line ("num_logs" can be set to a number between 2 and 99) in the "/etc/audit/auditd.conf" file:
 
num_logs = 5